STATEMENT OF POLICY

This policy applies to all uses of University IT Resources. Any individual or entity using IT Resources consents and agrees to comply with all of the terms and conditions set forth in this policy, all other applicable University policies and regulations, and applicable local, state and federal laws and regulations concerning the use of IT Resources.

The following uses of IT Resources are prohibited:

Circumvention of any security measure of Purdue University or another entity.

Intentional use, distribution or creation of viruses, worms or other malicious software.

Accessing data that is not publicly available, does not belong to the user and for which the user does not have explicit permission to access; or accessing IT Resources in a manner designed to circumvent access limitations to public or restricted-access data (e.g., replicating a database by automated queries) without permission.

Use of IT Resources for organized political activity that is inconsistent with the University’s tax-exempt status.

Use of IT Resources that disables other IT Resources, consumes disproportionate IT Resources such that other users are denied reasonable access to those resources or materially increases the costs of IT Resources.

Use of IT Resources that violates any local, state or federal law or regulation or any other University policy or regulation, including without limitation, Purdue policies on Data Classification and Governance (VII.B.6), Anti-Harassment (III.C.1) and Violent Behavior (IV.A.3).

Use of IT Resources for any purpose that could lead directly or indirectly to Financial Conflicts of Interest, unless such use has been approved in advance in accordance with Purdue policies on Individual Financial Conflicts of Interest (III.B.2) and Conflicts of Commitment and Reportable Outside Activities (III.B.1). Any approval of the use of IT Resources under such policies is at the sole discretion of the University and must:

Comply with all University software licenses and other intellectual property agreements,

Comply with all University policies and practices,

Comply with federal and state laws and regulations,

Not generate additional costs to the University, and

Not interfere with University work or use of IT Resources.

In most instances, non-Purdue sources of email, Internet access or other information technology services must be used for activities that are unrelated to the University’s mission. Modest, incidental and non-recurring personal uses of IT Resources are tolerated as part of the daily learning and work of all members of the University community, provided that use does not violate any other applicable University policy or regulation.

All users of IT Resources are held responsible for any actions performed using their IT Resource accounts. Violations of this policy or any other University policy or regulation may be subject to revocation or limitation of IT Resource privileges as well as other disciplinary actions or may be referred to appropriate external authorities.

The University makes no warranties of any kind, whether expressed or implied, with respect to the IT Resources it provides. The University will not be responsible for damages resulting from the use of IT Resources, including, but not limited to, loss of data resulting from delays, non-deliveries, missed deliveries, service interruptions caused by the negligence of a University employee, or by any user’s error or omission. The University specifically denies any responsibility for the accuracy or quality of information obtained through IT Resources, except material that is presented as an official University record.

REASON FOR THIS POLICY

This policy outlines the responsible use of all University IT Resources. The University provides IT Resources to support its ongoing missions of discovery, delivery and engagement.

INDIVIDUALS AND ENTITIES AFFECTED BY THIS POLICY

This policy covers students, faculty, staff and all individuals or entities using any IT Resource and all uses of such IT Resources.

WHO SHOULD KNOW THIS POLICY

President
Chancellors
Vice Presidents
Vice Chancellors
Vice Provosts
Deans and Directors
Department Heads and Chairs
Faculty
Staff
Students
Any other individual or entity using IT Resources

EXCLUSIONS

This policy does not cover personally-owned technology devices that are not connected to or otherwise using University IT Resources.

This policy does not apply to cyber-security research activities that, by their very nature, violate the scope of this policy. Such research must be carried out in a manner that employs sufficient and appropriate safeguards to contain the research to pre-defined and intended University IT Resources. Such research must be safeguarded from conception to termination of the research. In addition, such research must not interfere with or compromise the operation or security of other University IT Resources. Faculty, staff and students conducting cyber-security research are strongly encouraged to consult with their campus or departmental IT staff to ensure that appropriate safeguards are in place for that research.

Electronic information resources and the data contained in those resources

E-mail facilities

Peripherals (such as printers, copiers and fax machines)

Purdue, University and Purdue University
Any campus, unit, program, association or entity of Purdue University, including but not limited to Indiana University-Purdue University Fort Wayne, Purdue University Calumet, Purdue University North Central, Purdue University West Lafayette, Purdue Cooperative Extension Service and Purdue University College of Technology Statewide.

RESPONSIBILITIES

ITaP Networks and Security and Each Regional Campus Area Designated as Responsible for Information Assurance, Security and Awareness Activities

Facilitate the establishment and maintenance of standards and technical reference materials to support this policy and post such information online.

Centralized and Departmental IT Units and IT Resource Owners (and designees)

Implement and monitor compliance with this policy and related standards on IT Resources within their areas of responsibility.

Ensure that reasonable measures have been taken to secure IT Resources within their areas of responsibility. Physically secure IT Resources within their areas of responsibility. IT Resources may require differing levels of physical security depending on the classification of the data that they process, the systems they access and their cost.

Users of IT Resources

Use IT Resources in compliance with all applicable laws and University policies.

Be familiar with and consult online security standards and technical reference materials as applicable to their use of IT Resources.

Physically secure and safeguard IT Resources within the user's possession and control depending on the classification of the data that they process, the systems they access, and their cost.

Report violations of this policy and/or suspected IT Incidents immediately and in accordance with the University’s policy on Incident Response (VII.B.3).

PROCEDURES

Establishment and Maintenance of Standards

Each campus will establish, maintain and make available online standards and technical reference materials to support this policy. For the West Lafayette campus, Purdue Cooperative Extension Service and Purdue University College of Technology Statewide, ITaP Security and Policy will facilitate this process. For the Regional Campuses, the area designated on each Regional Campus as responsible for information assurance, security and awareness activities under the Policy on Delegation of Administrative Authority and Responsibility for Information Assurance, Security and Awareness (WL-4) will facilitate this process.

Centralized and departmental IT units and IT Resource owners and their designees must follow campus standards issued in support of this policy. These areas may also issue additional guidelines, procedures or other requirements regarding the use and security of IT Resources within their areas of responsibility. Specific reference materials may vary from department to department.

Security Policy Exceptions

Purdue University information security policies institute controls that are used to protect Purdue University data and IT Resources. While every exception to a policy or standard weakens protection for IT Resources and underlying data, occasionally exceptions will exist. In the event that a unit does not believe it can fulfill the requirements of this policy or its related standards and guidelines, the unit must request a policy exception.

For the West Lafayette Campus, Purdue Cooperative Extension Service and Purdue University College of Technology Statewide, policy exception requests shall be directed to ITaP Security and Policy.

For the Regional Campuses, policy exception requests shall be directed to the area designated on each Regional Campus as responsible for information assurance, security and awareness activities under the Policy on Delegation of Administrative Authority and Responsibility for Information Assurance, Security and Awareness (WL-4).